Amazon Linux 2 Security Advisory: ALAS2-2018-983
Advisory Released Date: 2018-04-05
Advisory Updated Date: 2025-09-23
Command injection in lib/resolv.rb:lazy_initialize() allows arbitrary code execution:
The "lazy_initialize" function in lib/resolv.rb did not properly process certain filenames. A remote attacker could possibly exploit this flaw to inject and execute arbitrary commands. (CVE-2017-17790)
Affected Packages:
ruby
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update ruby or yum update --advisory ALAS2-2018-983 to update your system.
noarch:
rubygems-2.0.14.1-33.amzn2.0.1.noarch
rubygems-devel-2.0.14.1-33.amzn2.0.1.noarch
rubygem-rake-0.9.6-33.amzn2.0.1.noarch
ruby-irb-2.0.0.648-33.amzn2.0.1.noarch
rubygem-rdoc-4.0.0-33.amzn2.0.1.noarch
ruby-doc-2.0.0.648-33.amzn2.0.1.noarch
rubygem-minitest-4.3.2-33.amzn2.0.1.noarch
src:
ruby-2.0.0.648-33.amzn2.0.1.src
x86_64:
ruby-2.0.0.648-33.amzn2.0.1.x86_64
ruby-devel-2.0.0.648-33.amzn2.0.1.x86_64
ruby-libs-2.0.0.648-33.amzn2.0.1.x86_64
rubygem-bigdecimal-1.2.0-33.amzn2.0.1.x86_64
rubygem-io-console-0.4.2-33.amzn2.0.1.x86_64
rubygem-json-1.7.7-33.amzn2.0.1.x86_64
rubygem-psych-2.0.0-33.amzn2.0.1.x86_64
ruby-tcltk-2.0.0.648-33.amzn2.0.1.x86_64
ruby-debuginfo-2.0.0.648-33.amzn2.0.1.x86_64
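To confirm a host is at or above the fixed builds listed above, the following added example (not part of the original advisory) compares installed package versions against them. The function names and the sample inventory are constructed for illustration, and `sort -V` is used as an approximation of rpm's version ordering; epochs are ignored.

```shell
#!/bin/sh
# Added example: flag ruby packages older than the fixed builds in ALAS2-2018-983.

# Fixed builds copied from the advisory's package list: "name version-release".
FIXED='ruby 2.0.0.648-33.amzn2.0.1
ruby-libs 2.0.0.648-33.amzn2.0.1
ruby-irb 2.0.0.648-33.amzn2.0.1
rubygems 2.0.14.1-33.amzn2.0.1
rubygem-json 1.7.7-33.amzn2.0.1'

# Constructed sample of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` output.
SAMPLE='ruby 2.0.0.648-30.amzn2.0.1
ruby-libs 2.0.0.648-33.amzn2.0.1
rubygems 2.0.14.1-30.amzn2.0.1
openssl 1.0.2k-8.amzn2.0.1'

# ver_lt A B: succeed when A sorts strictly before B.
# Assumption: sort -V ordering is close enough to rpm's for these version strings.
ver_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# outdated: read "name version-release" lines on stdin and print those
# that are below the fixed build for the same package name.
outdated() {
    while read -r name ver; do
        fixed=$(printf '%s\n' "$FIXED" | awk -v n="$name" '$1 == n { print $2 }')
        [ -n "$fixed" ] || continue   # package not covered by this advisory
        if ver_lt "$ver" "$fixed"; then
            printf '%s %s (fixed in %s)\n' "$name" "$ver" "$fixed"
        fi
    done
}

# Run against the constructed sample.
printf '%s\n' "$SAMPLE" | outdated
# On a real host: rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' | outdated
```

Any line printed names a package that still needs the update from the Issue Correction step; no output means every covered package in the input is at or above the fixed build.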
2025-09-23: CVE-2018-1000073 was removed from this advisory.
2025-09-23: CVE-2018-1000074 was removed from this advisory.
2025-09-23: CVE-2018-1000075 was removed from this advisory.
2025-09-23: CVE-2018-1000076 was removed from this advisory.
2025-09-23: CVE-2018-1000077 was removed from this advisory.
2025-09-23: CVE-2018-1000078 was removed from this advisory.
2025-09-23: CVE-2018-1000079 was removed from this advisory.
2025-09-23: The severity of this advisory has been changed from medium to low.